1. Important information and who we are

1.1 Purpose of this Privacy Policy

Welcome to Capital One (Europe) Plc's Privacy Policy.

You trust us with your personal data and we want to be open about what
we do with it. This Privacy Policy relates to our
Range of Products and Services
and aims to give you information on how we collect and process your personal data.
It also outlines your privacy rights
including how you can access your data, correct it, restrict use of it,
erase it and/or object to it being processed.

1.2 What is Capital One's role?

Capital One (Europe) Plc is responsible for deciding why and how your personal data
is collected and processed. This makes Capital One (Europe) Plc the Data Controller
(referred to as "Capital One", "we", "us" or "our" in this Privacy Policy).

Our contact details are: Capital One, PO Box 5281, Nottingham NG2 3HX

We have appointed a Data Protection Officer ("DPO") to help make sure we are transparent
and fair about how we use your data and comply with any law that may affect your privacy.

2. The data we collect about you

2.1 What is personal data?

Personal data, or personal information, means any information about an
individual from which that person can be identified (either on its own
or when combined with other information). It does not include data where
the identity has been removed (anonymised data).

We may Process different kinds of
personal data about you, which we have grouped together as follows:

Financial Data such as your income, credit card details, payment
card details or details about other financial accounts that you may have

Account Data such as details of your account, history of changes,
financial summaries, statements and account/user/policy or reference numbers

Transaction Data such as purchases / other
transactions made on your account and payments to and from you

Technical Data such as device information and identifiers,
internet protocol (IP) addresses, your login data, browser type/usage and
versioning data based on the devices you use to access our digital platforms

Profile Data such as passwords on your accounts, preferences, feedback

Survey and Research Data such as your responses to
questionnaires, surveys, feedback requests and design or research activities

Usage Data such as information about when and how you use our products,
services processes or platforms (e.g. how often you use our mobile applications or how
you use your credit card with us)

Marketing Data such as your preference on receiving marketing from us and
information used in your interactions with us (or our partners)
(e.g cookie data used for behavioural advertising).

Communications Data such as details about any contact made
between you and us (e.g. phone calls made or received) and/or the content
of those communications (e.g. call recordings)

Special Categories of Personal Data this includes details
about your race or ethnicity, religious or philosophical beliefs, sex life,
sexual orientation, political opinions, trade union membership, criminal
convictions and offences and data concerning your health and genetic and
biometric data. We will only collect and use these types of data where we
have obtained your explicit consent or if the law allows us to do so.

We also collect, use and share Aggregated Data such as
statistical or demographic data for any purpose. Aggregated Data may be
derived from your personal data but is not considered personal data in
law as this data does not directly or indirectly reveal your identity.
For example, we may aggregate your Usage Data to calculate the percentage
of users accessing a specific website feature or our mobile app.
However, if we combine or connect Aggregated Data with your personal data
so that it can directly or indirectly identify you, we treat the combined
data as personal data which will be used in accordance with this Privacy Policy.

2.2 If you fail to provide personal data

We think it is important to tell you that where we need to collect certain personal data,
and you fail to provide the data when requested, we may not be able to perform the contract
we have or are trying to enter into with you. In this case, we may have to cancel a product
or service you have with us but we will notify you if this is the case at that time.

3. How is your personal data collected?

We use different methods to collect data from and about you including through:

Direct interactions. This is data that we collect directly
from you and includes personal data you may provide or we may obtain when you:

apply or register for our products and services;

use our products and services;

use our website or mobile device applications;

make contact with us (e.g. making a phone call);

communicate with us (e.g. when you talk to us on the phone or send emails, letters or SMS);

request marketing to be sent to you;

enter a competition or promotion;

give us feedback or take part in research or surveys.

Automated technologies or interactions. As you interact with our website
or mobile applications, we may automatically collect data including Technical Data about
your equipment, browsing actions and patterns. This personal data may be collected by
using cookies and other similar technologies. Please see our
Cookie Policy for further details.

Third parties or publicly available sources.
We may receive personal data about you from various third parties (and public sources)
as set out in 'Our third parties'.

Other. We may receive personal data about you from individuals
such as extra cardholders, people appointed to act on your behalf, family members,
and others who are acting in your best interests or providing us with information
in relation to your contact details.

4.1 Purposes for which we will use your personal data

We have set out below a description of the ways we plan to use your personal data,
the purposes for this usage and which of the legal grounds we rely on to do so.
We have also identified what our Legitimate Interests are where appropriate.
Note that we may process your personal data for more than one legal ground depending
on the specific purpose for which we are using your data. If you have a
loan product or are supporting our customers
(e.g. powers of attorney) then the reasons we process your personal data are set out separately below.

Purposes and Legal Grounds

We may process your information to:

Understand how you use products, services, processes and related
customer experiences provided by us and other organisations;

Inform the way that we manage our products, services, processes and platforms;

Communicate with you to provide updates following a credit application or eligibility check;

Communicate with you to provide updates and information while you are using,
registering or continuing to use one of our products or services;

Communicate with you for design or research purposes or to ask you about our
current or potential products, services, processes and customer experiences.

When processing your information for these purposes, we rely on our Legitimate Interest
to allow you to access our products and services. In addition, in relation to some of
the purposes, it is necessary for us to process your information for the Performance
of the Contract between us.

We may process your information to:

Enable you to access and use our online services and functionality;

Understand how you use and navigate our online services;

Tailor online experiences or develop and/or change these services;

Service and fulfil on your products and services (e.g. processing
transactions, managing account information and settings);

Provide you with rewards, offers or promotions where we
(or our partners) think you may be interested;

Keep our records up to date including updating preferences and making changes to your account;

Manage requests from you where you are exercising your data privacy rights;

Assess your personal circumstances while you are using our products and services and,
potentially, taking actions on your account based on these circumstances
(e.g. making changes to your account where you appear to be in financial difficulty);

Communicate with you for any purpose relating to the servicing of your account;

When processing your information for these purposes, we rely on our
Legitimate Interest to fulfil on our products and services. In addition,
in relation to some of the purposes, it is necessary for us to process your
information for the Performance of the Contract between us.

When processing your information for these purposes, we rely on our
Legitimate Interest to manage risk, security and crime prevention.
In addition, in relation to some of the purposes, we may process your
information to comply with a Legal Obligation.

We may process your information to:

Improve, test, investigate and remediate any issues with our internal processes and practices;

Maintain your data and ensure the data that we hold about you is accurate and up to date.

When processing your information for these purposes, we rely on our
Legitimate Interest to manage and improve our business processes

Enable us to provide legal and/or regulatory
advice in line with our business activities;

Share your online account information with regulated third parties,
known as Account Information Service Providers (AISPs) where you
have asked them to access this information.

When processing your information for these purposes, we rely on our
Legitimate Interest to satisfy our industry, regulatory and legal
requirements and exercise our rights. In addition, in relation to
some of the purposes, we may process your information to comply with
a Legal Obligation or it may be necessary to assist in relation to a
task performed in the Public Interest.

Purposes and Legal Grounds

Service and fulfil on your products and services
(e.g. processing payments in or out and managing personal information);

Communicate with you for any purpose relating to
the servicing of your products and services;

Assess, collect or recover outstanding debts from you;

To transfer ownership of your account to a third party. This may include
activities we carry out with third parties including the assessment,
pricing and handover of the debt;

To inform strategies around how we collect, recover or sell outstanding debts;
this may involve sharing data with third parties to help inform this strategy
including which third parties we work with;

Manage requests from you where you are exercising your data privacy rights.

Where we process your information for these purposes, we rely on our
Legitimate Interest to fulfil on our products and services.
In addition, in relation to some of the purposes, it is necessary for
us to process your information for the Performance of the Contract between us.

We may process your information to:

Improve our internal processes and practices; to test, investigate
and remediate any issues with these processes and practices;

Maintain your data and ensure the data that we
hold about you is accurate and up to date.

Where we process your information for these purposes, we rely on our
Legitimate Interest to manage and improve our business processes.

We may process your information to:

Assess your personal circumstances in order to support you with the right outcome;

Appropriately handle and process complaints or disputes – this may
include contacting relevant third parties to assist in their handling;

Exercise our rights in relation to complaints, disputes or litigation.

Where we process your information for these purposes, we rely on our
Legitimate Interest to satisfy our industry, regulatory and legal
requirements and exercising our rights. In addition, in relation to
some of the purposes, we may process your information to comply with a Legal Obligation.

Where we process your information for these purposes, we rely on our
Legitimate Interest to manage risk, security and crime prevention.
In addition, in relation to some of the purposes, we may process your
information to comply with a Legal Obligation.

We may process your information to:

Improve; test, investigate and remediate any
issues with our internal processes and practices;

Maintain your data and ensure the data that we hold about you is accurate and up to date.

Where we process your information for these purposes, we rely on our
Legitimate Interest to manage and improve our business processes.

We may process your information to:

Assess your personal circumstances in order to support you with the right outcome;

Appropriately handle and process complaints or disputes – this may
include contacting relevant third parties to assist in their handling;

Exercise our rights in relation to complaints, disputes or litigation;

Enable us to provide legal/regulatory advice in line with our business activities;

Cooperate with (and respond to) requests from other institutions, regulators,
law enforcement bodies and other agencies (e.g. fraud prevention agencies).

Where we process your information for these purposes, we rely on our
Legitimate Interest to satisfy our industry, regulatory and legal
requirements and exercise our rights. In addition, we may process your
information to comply with a Legal Obligation.

We may use data relating to your health to allow you to access our products and services;
fulfil on our products and services; or to manage and improve our business processes for
some of the purposes set out in this Privacy Policy (e.g. to assess whether a product or
service is right for you; to service and to take action on your account based on your personal
circumstances and/or to communicate with you in appropriate media). One of the legal grounds
for processing this data is by obtaining your explicit consent to do so, for example where we
may place markers on your account to tell us you have a health issue that you would like our
support with (e.g. having poor eyesight so you need to receive braille statements).
We may also process this information where it is in the
Substantial Public Interest.

We may use Special Categories of Personal Data to satisfy our
industry, regulatory and/or legal requirements and to exercise our rights for some of the
purposes set out in this Privacy Policy (e.g. to appropriately handle and process complaints
and disputes or to enable us to provide legal/regulatory advice). We may process this information
where it is in the Substantial Public Interest.

We may use Special Categories of Personal Data to manage risk,
security and crime prevention for some of the purposes set out above (e.g. to perform checks to
prevent, detect, investigate and report fraud, crime and/or terrorist activity).
We may process this information where it is in the Substantial Public Interest.

4.2 Marketing

We strive to provide you with choices regarding certain personal
data uses, particularly around marketing and advertising.

You will receive marketing communications from us if you have requested information
from us or provided us with your details when you applied or registered for one of
our products or services and, in each case, you have not opted out of receiving
that marketing. However,
you can ask us to stop sending you direct marketing at any time.

If you ask us to stop sending you marketing messages, you will still receive
communications pertaining to the servicing or fulfilment of your account,
product, service or relationship with us (such as statements for your credit product,
communications about your outstanding debts or relevant updates about the products
or services that you are already using).

We may also use third parties to conduct marketing activities on our behalf.

4.3 Cookies

For more information about the cookies we use, please see our Cookie Policy.

4.4 Change of purpose

We will only use your personal data for the purposes for which we collected it,
unless we reasonably consider that we need to use it for another reason and that
reason is compatible with the original purpose. If we need to use your personal
data for an unrelated purpose, we will notify you and we will explain the legal
ground which allows us to do so.

Please note that we may process your personal data without your knowledge or consent,
in compliance with the above rules, where this is required or permitted by law.

5. How we use your information to make automated decisions

Automated Decision Making, including profiling, is the processing of personal data
(that we have collected or are allowed to collect from others) by automated means
and without human involvement to evaluate personal aspects about you.

In particular, we may process data to analyse or predict (amongst other things)
your financial situation, personal preferences, interests or behaviours.
This means that automated decisions without human involvement could be made about
you for example in relation to the products and services we offer you
(e.g. credit limit change decisions or deciding which communications are suitable for you).

Here are the types of automated decisions we make:

Making Lending Decisions

For our credit products, we use automated decision making when deciding whether
to lend money to you and to determine the initial setup for our products
(e.g. what credit limit you will be offered on your credit card).
When you have an account with us, we may continue to use automated decision making
where deciding whether to offer you additional credit (e.g. where offering you a
credit limit increase).

Where making assessments of this type, we may use a technique known as "credit scoring".

We use data from these sources and our logic to predict behaviours
(e.g. how well we expect you to manage your product and make regular
payments), to group our customers (or potential customers) into
'customer segments' and to make our lending decisions (e.g. which
applicants do we accept / decline).

This approach allows us to make quick, consistent decisions, uphold our
lending requirements and ensure that we lend responsibly. These automated
decisions may lead to your credit application being declined and may limit
your ability to access further credit in the future.

Detecting Fraud

Where you apply for (or register for) one of our products or services,
we use automated processes to detect and help prevent fraud.

We may automatically decide that you pose a fraud or money laundering
risk if our processing reveals your behaviour to be consistent with
money laundering or known fraudulent conduct; or is inconsistent with
your previous submissions; or you appear to have deliberately hidden your true identity.

We may also continue to monitor your accounts, your product usage and your
transactions to determine whether your account is being used for fraudulent activities.

We combine data from these sources and defined logic to identify threats and
prevent fraud losses. If we think there is a risk of fraud, we may stop
activity on your account and/or refuse access.

Providing you with access to products and services

When you apply (or register) for one of our products or services,
we perform checks to ensure that these are suitable for your
circumstances and that we manage our business risks.

To do so, we utilise data from several sources:

information you have provided;

information we may collect or already hold about you; and

information provided by third parties.

These checks may include (but are not limited to):

checks to ensure you meet conditions for opening
an account (e.g. checking your age and residence);

checks based on your existing products with us (e.g. checking whether you
already have an account with us and how it is currently being managed);

checks to identify money laundering, criminal / terrorist activity or
cyber security threats that may pose a risk to you and our business.

Where we identify circumstances or threats that introduce a risk to you or our business,
we may not be able to provide you with access to our products or services.

Managing, tailoring and marketing our products and services

Where we have an existing relationship with you, we may use profiling and
automated decision making to help manage this relationship. We use these
techniques to ensure that we manage your accounts, products or services appropriately;
help you get the best out of your products and services; and provide you with
promotions or offers that we think you will be interested in.

We use data that you provide along with internal and third-party data to
place you into groups with similar types of people. We call these groupings
'segments' and these are used to help us understand, test and tailor our products,
services and marketing more appropriately depending on identified segment types.
Some examples of how we use profiling and decision making are:

Optimising and fulfilling on communications different communication
approaches are suitable for different types of people so we use segmentation to
provide you with the most appropriate communications for you;

Sending marketing and offers different marketing approaches may be
used with certain segments where we think our marketing will perform more effectively;

Tailoring or managing products we may tailor your accounts,
products or services based on a segment that you are grouped into
(e.g. changing product terms such as APR, closing accounts that have been
inactive or taking action to prevent customer indebtedness).

This approach helps us to manage our accounts, products, services and marketing
more effectively and meet industry and regulatory requirements
(e.g. around customer indebtedness). This profiling and automated decision making may
lead to changes on your account, product or service or in the way that we interact with you
(communications or marketing).

Your rights in relation to automated decision making

You have rights in relation to certain automated decision making which means that
before the end of the period of one month beginning with receipt of the automated
decision you can request us to:

reconsider the decision; or

take a new decision that is not based solely on automated decision making and ask that a person review it.

If these rights apply you will be notified. If you want to know more about these rights, please contact us.

6. Credit reference agencies (CRAs)

When you apply, use or register for our products and services, we may perform credit
and identity checks on you with one or more credit reference agencies ("CRAs").
We may also make periodic searches at the CRAs to manage your account with us or
fulfil on our services.

To do this, we will supply your personal information to the CRAs and they will give us
information about you. We may share information that you give to us; information about
your account; information about how you use our products and services and information about
your financial situation and financial history. CRAs will supply to us both public
(including the electoral register) and shared credit, financial history information
and fraud prevention information.

We will use this information to:

Assess your creditworthiness and whether you can afford to take the product;

Ensure any offers provided to you are appropriate to your circumstances;

Provide you with access to your credit bureau data where you have asked us to.

We may continue to exchange information about you with the CRAs while you have a
relationship with us in line with the product or service. We will also inform the
CRAs about your settled accounts. CRAs will record your outstanding debts and this
information may be supplied to other organisations by CRAs.

When CRAs receive an application search from us they will place a search
footprint on your credit file that may be seen by other lenders.

The identities of the CRAs; their role also as fraud prevention agencies; the data they hold;
the ways in which they use and share personal information; data retention periods and your data
protection rights with the CRAs are explained in more detail at:

7. Fraud prevention agencies (FPAs)

Before we provide products or services to you, we also undertake checks for the
purposes of preventing fraud and money laundering, and to verify your identity.
These checks require us to process personal data about you.

The personal data you have provided, we have collected from you,
or we have received from third parties will be used to prevent
fraud and money laundering, and to verify your identity.

Details of the personal information that will be processed include, for example:
name, address, date of birth, contact details, financial information, and device
identifiers including IP address.

We and fraud prevention agencies may also enable law enforcement agencies to
access and use your personal data to detect, investigate and prevent crime.

We process your personal data on the basis that we have a Legitimate Interest in
preventing fraud and money laundering, and to verify your identity, in order to
protect our business and to comply with laws that apply to us. Such processing is
also a contractual requirement of the products and services you have requested.

Fraud prevention agencies can hold your personal data for different periods of time,
and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.

Consequences of Processing

A record of any fraud or money laundering risk will be retained by fraud
prevention agencies, and may result in others refusing to provide products
or services to you.

Data Transfer

Whenever fraud prevention agencies transfer your personal data outside of the
European Economic Area, they impose contractual obligations on the recipients
of that data to protect your personal data to the standard required by the
European Economic Area. They may also require the recipient to subscribe to
"international frameworks" intended to enable secure data sharing.

8. Disclosures of your personal data

We may share personal data about you with various third parties and public sources
as set out in Our third parties for the purposes set out
in paragraph 4 above.

We require all third parties to respect the security of your personal data
and to treat it in accordance with the law. We do not allow our third-party
service providers to use your personal data for their own purposes and only
permit them to process your personal data for specified purposes and in
accordance with our instructions.

9. Our third parties

We use third parties to enable, perform or improve a range of our business processes.
These may require us to share your data with third parties and/or they may share your
data with us. These third parties may include (but are not limited to):

Third parties that enable us to understand, develop, improve and market our products and services:

Product, marketing and industry monitoring services and tools;

Market research, surveying, consultancy and benchmarking services;

Product/service/communications design and development services;

Marketing partners, affiliates and intermediaries;

Analytics and incident management services.

Third parties that enable us to uphold our lending, usage or registration criteria by
supporting creditworthiness, affordability and other checks – for example:

Third parties that work with us to help us fulfil on and service your accounts, products or services:

Communications fulfilment or development service providers;

Customer account management services;

Customer servicing (service agents, support and tools);

Payment services, payment schemes and network services;

Transaction enablement and dispute services;

Payment Protection Insurance (PPI) services including the ongoing
management and activities relating to the potential miss-sell of PPI.

Third parties that support the running of our business processes:

Business process systems and support providers;

Technical platforms, software and tools providers (e.g. tools that we use
to optimize and test on our website or mobile applications);

Platform management and support services;

Data storage, transfer and processing services;

Disaster recovery solution services;

Public relations support and consultancy services.

Third parties that work with us to ensure we help you reach the best possible outcome:

Regulators, advisory entities and consumer rights/advice bodies;

Customer complaints and dispute resolution services.

Third parties that support with debt management, debt placement, debt collection,
debt advice and potential purchasers (for assessment and transfer to your account).

Third parties that provide reporting, banking or tax management services
and enable us to manage our business financials and performance.

Other third parties, bodies or institutions where we are required by regulation,
law, industry practices or to detect/prevent fraud, crime, terrorist activity or
business risks e.g. regulators, law enforcement bodies, crime prevention bodies
and sharing information with other institutions to help detect and prevent fraud.

Some of our third parties may be international. See 'International transfers'
to understand how we manage our data internationally.

10. International transfers

Capital One (Europe) Plc is based in the UK and we keep our main databases here.
However, we do have operations inside and outside the European Economic Area (EEA)
and your data may be transferred to, or accessed from, those locations.

Specifically, Capital One has operations in the US, Canada, the Philippines and India.

As well as other Capital One operations, the service providers we share your data
with may have operations in the UK, in the EEA and elsewhere in the world.

While countries in the EEA must have the same high standard of data protection as
offered here in the UK, other parts of the world may not guarantee that same level
of protection. When we share your data with anyone outside of the EEA, we always
put in place the safeguards required by law to ensure that a consistent high level
of protection travels with your data.

If you want to learn more about the specific legal safeguards we use to transfer your data, see below.

Capital One (Europe) Plc is based in the UK and we keep our main databases here.
However, we do have operations inside and outside the European Economic Area (EEA)
and your data may be transferred to, or accessed from, those locations.

Specifically, Capital One has operations in the US, Canada, the Philippines and India.

As well as other Capital One operations, the service providers we share your data
with may have operations in the UK, in the EEA and elsewhere in the world.

While countries in the EEA must have the same high standard of data protection as
offered here in the UK, other parts of the world may not guarantee that same level
of protection. When we share your data with anyone outside of the EEA, we always
put in place the safeguards required by law to ensure that a consistent high level
of protection travels with your data.

If you want to learn more about the specific legal safeguards we use to transfer your data, see below.

Before we share your data outside the EEA, we must make sure there are safeguards
in place which provide adequate protections of your data. Where adequate safeguards
are established, your rights as a data subject continue to be protected even after
your data has been transferred outside the EEA.

We are able to share your data with other parties outside the EEA because adequate
protection is in place. This usually takes the form of a contract with the recipient which contains
data protection terms which have been approved by the European Commission and provide
a level of protection that is substantially equivalent to the protection given to your
data in the UK. These are known as "Model Contract Clauses".

We transfer some of your personal data to our US parent. The United States is a third
country under data protection legislation and as such we need to have adequate safeguards
in place to ensure that your data is transferred with an adequate level of protection.
We have a contract in place with our US parent which sets out terms upon which they can
process your data. This includes the "Model Contract Clauses" referred to above.

If you would like more specific details about the safeguards in place
when transferring your data outside the EEA, please email
DataProtection@capitalone.com.

11. Data security

We have put in place appropriate security measures to prevent your
personal data from being accidentally lost, used or accessed in an
unauthorised way, altered or disclosed. In addition, we limit access
to your personal data to those employees, agents, contractors and other
third parties who have a business need to know. They will only process
your personal data on our instructions and they are subject to a duty of
confidentiality.

We have put in place procedures to deal with any suspected personal data
breach and will notify you and any applicable regulator of a breach where
we are legally required to do so.

12. How long will you use my personal data for?

There are a number of reasons why we need to keep hold of your personal
data and our aim is to only retain it for as long as necessary to fulfil
the purposes we collected it for, including for the purposes of satisfying
any legal, accounting, or reporting requirements.

How long we keep it for depends on the type of data we're holding and why we need it.
To determine the appropriate retention period for personal data, we consider the amount,
nature, and sensitivity of the personal data, the potential risk of harm from unauthorised
use or disclosure of your personal data, the purposes for which we process your personal
data and whether we can achieve those purposes through other means, and the applicable
legal requirements.

If you apply and/or register for one of our products and/or services,
we will retain your personal data for up to seven years after your relationship with us ends.

If your application for one of our products is declined or you decide not to
progress with the application, we will retain your personal data for up to
18 months after your application or quotation search was made.

We may keep your data for longer than explained above if we cannot delete it for legal,
regulatory or technical reasons. If we do, we will continue to make sure your privacy is protected.

13. Your legal rights

Under certain circumstances, you have rights under data protection
laws in relation to your personal data. Please click on the links
below to find out more about these rights:

Right of access to your personal data

Right of access to your personal data (commonly known as a "data subject access request").
This enables you to receive a copy of the personal data we hold about you.

Right to rectification

Right to rectification of the personal data that we hold about you.
This enables you to have any incomplete or inaccurate data we hold about you corrected.
However, please note that we may need to verify the accuracy of the new data you provide to us.

Right of erasure ("right to be forgotten")

Right to erasure of your personal data
(also known as the "Right to be forgotten").
This enables you to ask us to delete or remove personal
data in the following circumstances:

where the personal data is no longer necessary for the purpose for which it was collected;

where there is no good reason for us continuing to process it;

where you have successfully exercised your Right to object to processing
of your personal data;

where we may have processed your information unlawfully or where we are
required to erase your personal data to comply with a legal obligation.

Note, however, that we may not always be able to comply with your request of erasure for specific
legal reasons which will be notified to you, if applicable, at the time of your request.

Right to object

Right to object to processing (including profiling) of your personal data where we are
relying on a Legitimate Interest (or those of a third party) and there is something
about your particular situation which makes you want to object to processing on this
ground as you feel it impacts on your fundamental rights and freedoms. In some cases,
we may demonstrate that we have compelling legitimate grounds to process your information
which override your rights and freedoms. You also have the right to object where we are
processing your personal data for direct marketing purposes.

Right to restriction of processing

Right to restriction of processing of your personal data. This enables you to
ask us to suspend the processing of your personal data in the following scenarios:
(a) if you want us to establish the data's accuracy (see Right of rectification);
(b) where our use of the data is unlawful but you do not want us to erase it;
(c) where you need us to hold the data even if we no longer require it as you need it to establish,
exercise or defend legal claims; or
(d) you have objected to our use of your data but we need to verify whether we have overriding
legitimate grounds to use it (see Right to object).

Right to data portability

Right to data portability of your personal data to you or to a third party.
We will provide to you, or a third party you have chosen, your personal data in a structured,
commonly used, machine-readable format. Note that this right only applies to automated
information which you initially provided consent for us to use or where we used the information
to perform a contract with you.

Right to complain to the ICO

Right to make a complaint to the Information Commissioner's Office (ICO),
the UK supervisory authority for data protection issues,
at any time
https://ico.org.uk/global/contact-us/ opens in a new tab.
We would, however, appreciate the chance to deal with your concerns
before you approach the ICO so please contact us in the first instance.

Right to object to direct marketing

Right to object to direct marketing at any time by following the
opt-out links on any marketing message sent to you or by contacting us.

Right to withdraw consent

Right to withdraw consent at any time. In certain circumstances, we
may need to get your consent before we can access or process your personal data.
If this happens, we will always ask for your consent first. If you have given us
consent in the past but subsequently change your mind, you can withdraw your consent
at any time.

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights).
However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive.
Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your
identity and ensure your right to access your personal data (or to exercise
any of your other rights). This is a security measure to ensure that personal
data is not disclosed to any person who has no right to receive it.
We may also contact you to ask you for further information in relation
to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests in relation to your legal
rights within one month. Occasionally it may take us longer than a month
if your request is particularly complex or you have made a number of requests.
In this case, we will notify you and keep you updated.

Contact Us

If you wish to exercise any of the rights set out above,
please contact us at Capital One, PO Box 5281, Nottingham NG2 3HX.

14. Glossary

Comply with a Legal Obligation means
processing your personal data where it is necessary for
compliance with a legal or regulatory obligation that we
are subject to.

Legitimate Interest means we have a
business or commercial reasons to use your data. We
can use your data to pursue Legitimate Interest of our
own or of other service providers. When we rely on our
Legitimate Interest, we make sure we consider and balance
any potential impact on you (both positive and negative)
and your rights before we process your personal data.
We do not use your personal data for activities where our
interests are overridden by the impact on you (unless we
have your consent or are otherwise required or permitted to by law).

Performance of the Contract means processing your
data where it is necessary for the performance of a contract to
which you are a party or to take steps at your request before
entering into such a contract.

Process means anything we do with your
data such as collecting, using, storing, sharing, monitoring,
analysing and deleting it.

Public Interest means the processing is necessary
for either carrying out a specific task in the public interest which
is laid down by law, or exercising official authority, e.g.
a public body's task, functions, duties or powers which is laid down by law.

Range of Products and Services means our website or tools
available on our website (e.g. QuickCheck and CreditWise). It would also
include our current lending products (e.g. our Classic Credit Card) or
historic products (e.g. loan products or our Aspire World Credit Card).
We also have services available to help you manage your account (e.g. Web
Servicing platform and Mobile Applications).

Substantial Public Interest means those laid down in data protection laws.